I tried this working  | rex "COMMAND=\/[a-z]*\/[a-z]*\s-\s(?<service_account>[^ ]+)" ... View more

Hi @Hema_Nithya , please try this: ! rex "sudo:\s+(?<field>[^ ]+)" that you can test at https://regex101.com/r/uBkpRh/1 Ciao. Giuseppe ... View more

| rex "(?<username>[^:]*):(?<passwd>[^:]*):(?<path>[^:]*)" ... View more

What defines the start and end of the error text in each of those examples and how much of that do you want to get in error_message You could very simply do this | rex "\]:\s(?<error_message>.*)" which would take everything after the ]: to the end of the event ... View more

You could externalise the versions to a lookup file and the query could get the versions from that lookup file and use those values in the query, e.g. if you had a lookup file with  version,date_from 3.10.0-1160.92.1.el7.x86_64,2023-11-06 then the query could use a subsearch to get the latest version based on date_from field in the lookup to use in the query. As for how to update that automatically, it would depend on where your data is coming from. You could use the REST api to perform actions on the Splunk server.  ... View more

Add the following format statement to your XML <format type="color" field="Status"> <colorPalette type="expression">case(match(value, "^$$"), "#FF00FF")/colorPalette> </format> and change the field name to your field and the colour value (#FF00FF) to the one colour you want ... View more

This is a bit vague - what do your events actually look like? what are you trying to achieve? what do your expected results look like? ... View more

Using subsearch results in large number of OR operators.  It's probably more economic just doing stats | inputlookup servers.csv | eval CSV = "servers" | inputlookup append=true HR.csv | fillnull CSV value=HR | stats values(CSV) as CSV by Name ID | where mvcount(CSV) == 1 AND CSV == "servers" (Again, thanks @richgalloway for demonstrating append mode!) ... View more

Hi @Hema_Nithya , this check highly depends on the format of the version, so if the format is always the one you shared (git-2.31.1-3.el8_7 and git-2.39.3-1.el8_8), you could use a regex to extract the numeric version: | rex field=installed ".*(?<version_installed>\d+_\d+)" | rex field=shouldbe ".*(?<version_shouldbe>\d+_\d+)" so you can compare them. Ciao. Giuseppe ... View more

A new issue should be in a new question. ... View more

Add this line | fields - Server_Installed_Package ... View more

Do node_name and filespace_name fields available in same sourcetype (single) OR both sourcetypes? ... View more

It is possible to run a scheduled script to collect information from TSM using dsmadmc and SQL and store it in a comma separated file. use a universal forwarder to put this data into splunk and then extract those metrics into a dashboard. some examples: DB space Tape drives in use Scratch Tapes remaining Drives offline ... View more